International Journal of Recent Innovation in Engineering and Research
Publication Impact Factor: 1.245 by I2OR
e-ISSN: 2456-2084
IMPROVEMENT OF CRYPTOGRAPHIC NETWORK PROTOCOL (SSH) FOR
MORE SECURE DATA COMMUNICATIONS
Maha A. Saya, Naofal Mohamad Hassin Azeez and Rana Sabah Naser
Dept. of Science, College of Computer Science & Mathematics, University of Thiqar
Abstract - SSH is a cryptographic network protocol for secure data communication and remote command-line login. A programmer uses it to protect the information transferred between himself and another source. Sometimes an attacker can break in and take this information. To solve the problem, the protocol must be made more secure; this paper aims to improve this protocol by changing its configuration file and so increase the level of security.
I. INTRODUCTION
SSH, also known as Secure Socket Shell, is a network protocol that offers administrators a safe way to access a remote computer. SSH also refers to the group of utilities that implement the protocol. Secure Shell provides authentication and secures encrypted data communications between two computers connecting over an unsafe network such as the Internet. SSH is widely used by network administrators for managing organizations and applications remotely, allowing them to log in to another computer over a network, perform commands and move files from one computer to another.
The first version of SSH appeared in 1995 and was designed by Tatu Ylönen, a researcher at Helsinki University of Technology who founded SSH Communications Security. Over time various flaws have been found in SSH-1 and it is now deprecated. The current package of Secure Shell protocols is SSH-2, which was adopted as a standard in 2006. It is not compatible with SSH-1; it uses a Diffie-Hellman key exchange and a stronger integrity check based on message authentication codes to improve security. SSH clients and servers can use several encryption methods, the most widely used being AES and Blowfish.
As yet, there are no known weak points in SSH-2, though information leaked by Edward Snowden in 2013 suggests the National Security Agency may be able to decrypt some SSH traffic.
II. PROPOSED PLAN
In this paper, SSH must be installed, and it is important to distinguish between sshd_config, for the server, and ssh_config, for the client. The work must be done on Linux because it supports SSH. After opening the SSH configuration file, the changes must be made to the port, the banner, password authentication, allowing and denying users, limiting the rate of connections, and logging the attempts an attacker makes to gain access.
III. METHODOLOGY
Ubuntu supports SSH; a programmer can confirm this by typing ssh in a terminal.
@IJRIER - All rights Reserved - 2016 Page 16
Volume: 01 Issue: 07 November – 2016
Fig. 1 illustrates this.
All steps are summarized in Figure (2):
Figure (2): the steps of the proposed work.
To install the OpenSSH server, type in a terminal:
sudo apt-get install openssh-server
sshd must be configured, and a programmer must distinguish between sshd_config (for the server) and ssh_config (for the client).
A programmer will need to configure it by editing the sshd_config file in the /etc/ssh directory.
First, make a backup of the sshd_config file by copying it to the home directory, or by making a copy in /etc/ssh:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
To protect the backup from accidental changes:
sudo chmod a-w /etc/ssh/sshd_config.original
At this stage the changes to sshd_config can be made. First open the file:
sudo gedit /etc/ssh/sshd_config
Creating a backup in /etc/ssh means a programmer can always find a known-good configuration when he needs it.
sshd_config is opened and changed in several steps:
1st (Disable Password Authentication):
Because many people with SSH servers use weak passwords, many online attackers will find an SSH server and then start guessing passwords at random. An attacker can try thousands of passwords in an hour, and can guess even the strongest password given enough time. The proposed solution is to use SSH keys instead of passwords. To be as hard to guess as a normal SSH key, a password would have to contain 634 random letters and numbers. If a programmer can always log in to his own computer with an SSH key, password authentication should be disabled.
To disable password authentication, find the line:
#PasswordAuthentication yes
and replace it so that it reads:
PasswordAuthentication no
2nd (Disable Forwarding):
By default, a programmer can also tunnel specific graphical applications through an SSH session. For example, a developer could connect over the Internet to his PC and run nautilus "file://$HOME" to see his PC's home folder. This is known as "X11 forwarding".
While both of these are useful, they also give more options to an attacker who has already guessed his password. Disabling these options gives a user a little security, but not as much as he'd think. With access to a normal shell, a resourceful attacker can replicate both techniques with a specially modified SSH client.
To disable forwarding, look for the following lines in sshd_config:
AllowTcpForwarding yes
X11Forwarding yes
and replace them with:
AllowTcpForwarding no
X11Forwarding no
3rd (Specify Which Accounts Can Use SSH):
A programmer can explicitly allow or deny access for certain users or groups. For example, if he has a family PC where most people have weak passwords, he might want to allow SSH access just for himself. It is recommended to specify which accounts can use SSH if only some users want (or do not want) to use SSH.
To allow only the users Maha and Rana to connect to his own computer, add the following line to the bottom of the sshd_config file:
AllowUsers Maha Rana
To allow everyone except the users Duha and Zahra to connect to his own computer, add the following line to the bottom of the sshd_config file:
DenyUsers Duha Zahra
4th (Rate-limit the connections):
It is possible to limit the rate at which one IP address can establish new SSH connections by configuring the uncomplicated firewall (ufw). If an IP address tries to connect more than 10 times in 30 seconds, all following attempts will not pass, since the connections will be DROPped. The rule is added to the firewall by running the command:
sudo ufw limit ssh
Login connections to the system may also be limited. This example will allow two pending connections. Between the fourth and tenth connection the system will start randomly dropping connections, from 40% up to 100% at the tenth simultaneous connection. This should be set in sshd_config:
MaxStartups 1:20:5
In a multi-user or server environment, these numbers should be set significantly higher, depending on resources and demand, to slow denial-of-access attacks. Setting a lower login grace time (the time to keep pending connections alive while waiting for authorization) can be a very good idea, as it frees up pending connections quicker, but at the expense of convenience:
LoginGraceTime 20
5th (Log More Information):
By default, the OpenSSH server logs to the AUTH facility of syslog at the INFO level. If a programmer wants to record more information, such as failed login attempts, he would increase the logging level to VERBOSE.
To increase the level of information, find the following line in sshd_config:
LogLevel INFO
and change it to this:
LogLevel VERBOSE
6th (Display a Banner):
If a programmer wants to try to scare attackers, it can be fun to display a banner containing legalese. This does not give any security, because anyone who has managed to break in won't care about a "no trespassing" sign, but it might give a bad guy a chuckle. To add a message as a banner that will be displayed before authentication, find this line:
#Banner /etc/issue.net
and replace it with:
Banner /etc/issue.net
The message is added by editing the file with the command:
sudo gedit /etc/issue.net
Figure (2) illustrates the message to scare the attackers.
Figure (2): the message to scare the attackers.
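The six sshd_config changes above, applied by a script rather than in an editor, as an added example that is not part of the paper. It assumes a constructed sample configuration (make_sample_config) and a file without Match blocks, and it rewrites each keyword in place because sshd uses the first value it finds for a keyword, so a setting appended at the bottom is ignored if an earlier active line already sets it.

```shell
# Added example, not from the paper: apply its sshd_config edits with awk.
# sshd keeps the FIRST value it meets for a keyword, so each option is rewritten
# in place (uncommented if needed), not appended. Match blocks assumed absent.
set -eu

# set_option FILE KEY VALUE: rewrite the first active-or-commented KEY line,
# or append "KEY VALUE" when the keyword does not occur at all.
set_option() {
    awk -v key="$2" -v value="$3" '
        !done && tolower($0) ~ "^[ \t]*#?[ \t]*" tolower(key) "([ \t]|$)" {
            print key, value; done = 1; next
        }
        { print }
        END { if (!done) print key, value }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# effective_value FILE KEY: the value sshd would use (first active line,
# keyword compared case-insensitively); prints nothing when unset.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# The paper's six changes, with its rate-limit values, applied to FILE.
harden_sshd_config() {
    set_option "$1" PasswordAuthentication no
    set_option "$1" AllowTcpForwarding no
    set_option "$1" X11Forwarding no
    set_option "$1" AllowUsers "Maha Rana"
    set_option "$1" MaxStartups 1:20:5
    set_option "$1" LoginGraceTime 20
    set_option "$1" LogLevel VERBOSE
    set_option "$1" Banner /etc/issue.net
}

# make_sample_config FILE: constructed stand-in for an Ubuntu default file,
# so the script is tried on a temporary copy, never on /etc/ssh directly.
make_sample_config() {
    cat > "$1" <<'EOF'
Port 22
#PasswordAuthentication yes
X11Forwarding yes
#AllowTcpForwarding yes
LogLevel INFO
EOF
}

demo=$(mktemp); make_sample_config "$demo"; harden_sshd_config "$demo"
effective_value "$demo" PasswordAuthentication; rm -f "$demo"   # prints: no
```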
IV. RESULTS
Once editing sshd_config is finished, make sure that the changes are saved before restarting the SSH daemon. First, check that the SSH daemon is running:
ps -A | grep sshd
The result should be a line like this:
<some number> ? 00:00:00 sshd
Next, try logging in from the programmer's own computer:
ssh -v localhost
This prints debugging information and tries to connect to his own SSH server. A programmer would be prompted to type a password, and he would get another command line when he types his password in. If this works, then his SSH server is listening on the standard SSH port. If he has set his computer to listen on a non-standard port, then he will need to go back and comment out (or delete) the line in his configuration that reads Port 22. Otherwise, his SSH server has been configured correctly.
Leave the SSH command line by typing: exit
V. CONCLUSION
These changes gave SSH more security, so a programmer can use SSH as a secure channel for sensitive communications that require security, such as using a database located in the cloud.